Skip to main content
  1. Home
  2. Computing
  3. News

Latest bugs in LastPass allowed attackers to steal passwords

By

A hand on a laptop in a dark surrounding.
Image used with permission by copyright holder
Password manager LastPass is patching a number of critical vulnerabilities in its software that left users’ passwords potentially leaking.

No software is ever totally safe and while password managers can offer a degree of security and convenience, they are not impervious as these security flaws demonstrate.

Recommended Videos

The latest bugs were discovered by Google Project Zero researcher Tavis Ormandy, who is renown for finding and disclosing flaws in security software. Ormandy said he found a vulnerability that allows for the stealing of passwords by running a binary version of the password manager’s extension.

Related

In a proof of concept, Ormandy demonstrated using the code to launch an application. He opened the calculator in Windows but, he said, a malicious actor could use this code to steal password details when the manager is entering them into the login fields.

“That doesn’t look good, this script will proxy unauthenticated window messages to the extension. This is clearly a mistake, because anybody can do [it],” he wrote in his advisory.

“Therefore, this allows complete access to internal privileged LastPass RPC [remote procedure calls] commands,” he said.

I found another bug in LastPass 4.1.35 (unpatched), allows stealing passwords for any domain. Full report will be on the way shortly. pic.twitter.com/9VkV7R3vud

— Tavis Ormandy (@taviso) March 21, 2017

LastPass said in a tweet that this has been fixed and promised a blog post with more details on what went wrong but the post has yet to materialize.

Ormandy also found remote code execution vulnerabilities in the password manager’s Chrome and Firefox extensions. The Chrome bug has since been patched but the Firefox version remains unpatched for now but this may be due to a hold up on Mozilla’s end.

“We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix,” said LastPass on Tuesday night.

This isn’t the first time that Ormandy has poked holes in LastPass’ software. In 2016, he disclosed a Firefox-related flaw that would have allowed an attacker to access someone’s extension, without them knowing, and delete the passwords.

Editors' Recommendations

Topics
Jonathan Keane
Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…
Best gaming laptop deals: Alienware, Razer, Asus and more
An Alienware m16 gaming laptop in use on a desk, playing Baldur's Gate III.

Gaming can be a lot of fun, but if you're the sort of person who doesn't want to deal with a big gaming desktop, then going for a gaming laptop makes a lot of sense. Of course, you aren't going to get as much power under the hood as you would with a desktop, and it might cost a bit more, but you do get a lot of mobility and an included screen in the process. Either way, modern gaming laptops have become really great, and even the budget-oriented stuff can play some of the best PC games out there.

To that end, we've gone out and collected some of our favorite gaming laptop deals out there. On the other hand, if you don't want something that yells "gaming laptop," check out some of these other laptop deals that include more traditional-looking laptops with some gaming specs.
IdeaPad Gaming 3 gaming laptop -- $617, was $950

Read more
Best Antivirus Deals: Protect your PC or Mac from just $35
norton 360 deluxe with lifelock deal best buy december 2021 antivirus shutterstock stock image

If you just grabbed one of these desktop deals or laptop deals, then you may want to also consider arming yourself with one of the best antivirus programs on the market. That's especially true since the antiviruses that tend to come with these deals only last 30 days or so and don't even include the full suite of tools. So, if you want protection against everything from viruses to phishing scams, then be sure to check our favorite antivirus deals below.
NortonLifeLock 360 Deluxe -- $35, was $90

Norton products are a firm fixture amongst the best antivirus software for good reason. They're simple to use and typically cover all the devices you could need to protect. In the case of NortonLifeLock, you get so much more than just antivirus protection too. The software package covers up to five devices at once meaning it will happily work on your Windows, Mac, Android, and iOS systems all at once without a problem. That means all your devices will be regularly monitored for any nefarious files or any other potential issues relating to malware or similar. Real-time protection means there's nothing you need to do other than keep an eye out for any alerts from the service. It's great peace of mind but Norton LifeLock 360 Deluxe goes further than that.

Read more
Best Samsung monitor deals: 4K monitors, ultrawide, and more
Press image of the Samsung ViewFinity S9 studio monitor.

Samsung is probably one of the most well-known electronics companies, making everything from some of the best phones on the market to washers and driers, so it has a huge pedigree in the tech field. That pedigree also extends to monitors, as it also makes some of the best monitors and best gaming monitors on the market as well, so if you're looking to buy a new one, grabbing a Samsung on is a pretty smart choice. Of course, there's a huge selection of monitors to pick from, which is why we've gone out and selected some of our favorite Samsung monitor deals and compiled them for you below.

Also, if you're not quite sure what monitor to buy, check out our computer monitor buying guide to get a better sense of what you need. And, if you don't find it among Samsung monitors, you can always check some other great monitor deals as well.
Samsung 22-inch T350 Full HD monitor -- $100, was $120

Read more